In situ and network-based transaction classifying systems and methods

ABSTRACT

Various embodiments herein each include at least one of systems, methods, and software for in situ and network-based transaction classification. Such embodiments use advanced data analytics and machine learning techniques of consumer&#39;s transaction attributes to reduce shrink at checkout. One embodiment, in the form of a method, includes processing a dataset of transactions to identify normal transaction patterns and processing a dataset of transactions that included known fraud to identify variation patterns between the identified normal transaction patterns and the data of each transaction. The method further includes generating at least one pattern model based on the identified normal transaction patterns and the identified variation patterns. In such embodiments, each pattern model typically includes classification values for determining a likelihood of fraud in transactions. The method continues by applying the model to a current transaction to calculate a score indicative of a likelihood of fraud and outputs the score.

BACKGROUND INFORMATION

Improving customer service and productivity at checkout continues to bea major strategy for retailers looking to grow in a competitivemarketplace. Often, retailers need to balance these benefits against thenecessity to provide security at checkout. Theft, or “shrink” (i.e.,intentionally and unintentional), presents a confound to high checkoutproductivity as closely monitoring can be laborious and off-putting tocustomers, the vast majority of which are not involved in any illicitbehavior.

Traditionally, a retailer's Loss Prevention team uses tellers orsecurity personnel present at checkout, manual video surveillance tomonitor the checkout process, or electronic article surveillance (EAS)tags on items to prevent shrink. However, having a person present andthe manual video monitoring approach are labor intensive and, perhaps,are not completely practical to deter shrink at stores with a largenumber of point of sale (POS) devices. Further, thieves have learned howto circumvent EAS tags. Other non-traditional methods to prevent shrinkat checkouts include video analytics or computer vision detection.Companies that provide these shrink detection methods include, forexample, StopLift and Everseen. These methods can be effective, butrequire the theft events to be in clear sight of existing camera viewsor may require an additional investment of cameras at each POS. Also,until video analytic technology improves, most shrink detection videoimplementations include a manual validation step to confirm the eventbefore taking actions. At self-service checkout (SSCO), most vendors,such as NCR, provide weight based item security and some vendors haveversions of visual analysis, e.g., NCR's SmartAssist, Produce Assurance,and PickList Assist. However, many large retailers have disabled weightbased item security in favor of allowing customers to be more productiveand improve their experiences by significantly reducing attendantinterventions. Furthermore, the visual analysis methods typically dependon the customer placing the item on or pass it by the scanner, but manyshrink events at SSCOs involve the customer skipping the scanner andbagging item directly or leaving items in the shopping cart. Similartheft can also occur at teller-assisted checkout stations, such as amongfriends or by disgruntled employees.

Current solutions for detecting shrink, or at least a certain likelihoodtherefore, while helpful, remain deficient.

SUMMARY

Various embodiments herein each include at least one of systems,methods, and software for in situ and network-based transactionclassification. Such embodiments use advanced data analytics and machinelearning techniques of consumer's transaction attributes to reduceshrink at checkout, including both self-service and staffed (cashier)registers, i.e., SSCO and teller-assisted checkouts.

One embodiment, in the form of a method, includes processing a datasetof transactions to identify normal transaction patterns and processing adataset of transactions that included known fraud to identify variationpatterns between the identified normal transaction patterns and the dataof each transaction. The method further includes generating at least onepattern model based on the identified normal transaction patterns andthe identified variation patterns. In such embodiments, each patternmodel typically includes classification values for determining alikelihood of fraud in transactions. The method continues by applyingthe model to a current transaction to calculate a score indicative of alikelihood of fraud and outputs the score.

Another method embodiment includes generating a model from patternsidentified in normal and fraudulent transaction data. Each of suchidentified patterns typically includes a classification value thatcontributes to a transaction classification value indicating alikelihood of fraud in a given transaction. This method further includesapplying the model to a current transaction to obtain classificationvalues to calculate a transaction classification value indicating alikelihood of fraud in the current transaction and then outputting thescore as an indicator of potential fraud.

A further embodiment in the form of a point-of-sale (POS) systemincludes a processor and a memory device. The memory device of suchembodiments stores instructions executable by the processor to performdata processing activities. The data processing activities may includeapplying a model to a current transaction to obtain classificationvalues to calculate a transaction classification value indicating alikelihood of fraud in the current transaction. This model includes datarepresentations of patterns in normal and fraudulent transaction dataand each pattern includes a classification value that contributes to atransaction classification value indicating a likelihood of fraud in agiven transaction. The data processing activities also includeinterrupting operation of the POS system when a transactionclassification value exceeds a threshold indicating a likelihood offraud.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block flow diagram of a method, according to an exampleembodiment.

FIG. 2 is a logical block diagram of a system architecture, according toan example embodiment.

FIG. 3 is a block flow diagram of a method, according to an exampleembodiment.

FIG. 4 is a block diagram of a computing device, according to an exampleembodiment.

DETAILED DESCRIPTION

The pecuniary value of interest that is the subject of retailer shrinkis quite substantial. As an illustration, The National Retail Federationand University of Florida estimated that overall shrinkage, at checkoutand other locations in the store, at U.S. retailers in 2015 was $45.2billion. Furthermore, U.S. retail industry shrink is getting worse as2015 losses were $1.2 billion more than in 2014. The various embodimentsherein operate to reduce this shrinkage cost for retailers. It isestimated that the embodiments herein, when used as a module of alayered security approach, can help detect an incremental 0.5% to 1% ofshrink events. Based on the above 2015 U.S. retail cost of shrinkage,the potential savings to the U.S. retailer industry, if widely adopted,could be approximately $225 to $450 million annually.

The embodiments herein present systems and methods using advanced dataanalytics and machine learning techniques to alert retailers, in realtime, to potential shrink events at checkout based on basket itempatterns and customer characteristics. When such embodiments aredeployed as part of a layered security approach augmenting currentshrink mitigation methods, shrink prevention security becomes quiterobust. The predictive embodiments herein can be used to increase theeffectiveness of other shrink detection/monitoring solutions by focusingthose resources in real-time when and where shrink is most likelyoccurring.

In the following detailed description, reference is made to theaccompanying drawings that form a part hereof, and in which is shown byway of illustration specific embodiments in which the inventive subjectmatter may be practiced. These embodiments are described in sufficientdetail to enable those skilled in the art to practice them, and it is tobe understood that other embodiments may be utilized and thatstructural, logical, and electrical changes may be made withoutdeparting from the scope of the inventive subject matter. Suchembodiments of the inventive subject matter may be referred to,individually and/or collectively, herein by the term “invention” merelyfor convenience and without intending to voluntarily limit the scope ofthis application to any single invention or inventive concept if morethan one is in fact disclosed.

The following description is, therefore, not to be taken in a limitedsense, and the scope of the inventive subject matter is defined by theappended claims.

The functions or algorithms described herein are implemented inhardware, software or a combination of software and hardware in oneembodiment. The software comprises computer executable instructionsstored on computer readable media such as memory or other type ofstorage devices. Further, described functions may correspond to modules,which may be software, hardware, firmware, or any combination thereof.Multiple functions are performed in one or more modules as desired, andthe embodiments described are merely examples. The software is executedon a digital signal processor, ASIC, microprocessor, or other type ofprocessor operating on a system, such as a personal computer, server, arouter, or other device capable of processing data including networkinterconnection devices.

Some embodiments implement the functions in two or more specificinterconnected hardware modules or devices with related control and datasignals communicated between and through the modules, or as portions ofan application-specific integrated circuit. Thus, the exemplary processflow is applicable to software, firmware, and hardware implementations.

FIG. 1 is a block flow diagram of a method 100, according to an exampleembodiment. The method 100 provides a high-level perspective of aprocess according to some embodiments. Some such embodiments use datamodeling of customer market basket data, that is items presented atcheckout for purchase, to gain insight into the normal relationshipsbetween customer transaction characteristics and high theft items. Next,these embodiments analyze detailed market basket data from customertransactions where shrink occurred, such as where a store's LossPrevention team intervened to stop the theft or theft or customer orstaff error/oversight/other mistake led to shrinkage, to learn potentialconnections between basket data, types of shrink practices. Types ofshrink practice may include item substitution, double stacking products,masking universal product codes, combinations of products, and customercharacteristics, among others. Insights from this analysis allows forcreation of one or more analytic models using machine learningalgorithms, which may include one or more of correlation analysis,logistic regression, neural networks and others, to predict, or score,the likelihood of shrink for a future transaction based on customer andtransaction characteristics. Such embodiments build models eachincluding one or more data representations of patterns of normal andshrink-related transactions to automate shrink prediction in real timeto provide alerts to the retailer. The alerts may include POS terminalinterrupts requiring store personnel for clearing, directing videomonitoring personnel to watch the POS terminal, directing personnel tothe POS terminal, and the like.

As discussed above, the first step is to mine 102 the retailer detailedPOS and basket data to learn the relationships in the form of patternsbetween customer and transaction characteristics with high theft itemswhen customers purchase these items. The mining 102 is performed togenerate 104 a model including the learned patterns for an analyticframework of transactions from paying customers that include high theftitems. The generated 102 model includes data representation of patternsidentified in normal, non-shrink transactions and transactions confirmedto include shrink. The detailed POS data may include, for example:

-   -   a. Store ID;    -   b. Store banner or region ID;    -   c. Transaction ID;    -   d. Register ID;    -   e. Date;    -   f. Time;    -   g. Cashier ID or self-checkout attendant ID;    -   h. Transaction cancellation event (cancelled, e.g., “1” or not,        e.g., “0”);    -   i. Items (or SKU) ID;    -   j. Items description;    -   k. Items price ($);    -   l. Voided event;    -   m. Quantity key event;    -   n. Payment type: Cash, Credit card by type (e.g., Coles card,        American Express, MasterCard, etc.), debit, check, EBT, others;    -   o. Client loyalty card ID;    -   p. Number of coupons;    -   q. Shrink indicator (True/1 indicating an actual or attempted        theft/shrink,    -   False/0 indicating normal transaction); and    -   r. Others.

Once transaction patterns are generated 104 into a model which is thentested and validated, the model is provided 106 to a processing enginethat evaluates transaction data in near or actual real-time to identifywhen a shrink event is occurring. The near or actual real-timemonitoring of transaction may be implemented as an add-on application toa retailers POS software systems, through a network accessible cloudapplication or mobile application to alert a self-checkout attendant ora front-end supervisor to potential transactions where shrink may beoccurring using the current item and transaction characteristics.Detection of a possible shrinkage event may also or alternatively betransmitted to another shrink-prevention solution, such as an image orvideo processing system that processes images or video to identify orconfirm attempted theft or other system involved in shrinkageprevention. The cloud based solution may be implemented on a networkaccessible server that is located in a store, in a backend system of astore or a chain of stores, be hosted by a shirk detection serviceprovider, and the like.

Such embodiments are flexible and easily calibrated to a retailer'sunique domain by generating models that allows for model generation 102for individual stores, regions where stores are located, specificterminals, and the like. Some such embodiments may also be enhanced bysegmenting a retailer's store network into categories by banners orregional segments based on different types of customer categorization,customer shopping patterns (time of day, day of week, etc.), or by mostcommonly stolen items.

Of particular note is that it is difficult for a single shrink detectionsystem to prevent all occurrences of shrink at checkout. As such, thepresent embodiments, such as the method 100 may be implemented byretailers as one of a multiple-layer defense to mitigate shrinkage atcheckout. These embodiments are an ideal extension to existing practicesto provide a layered approach to help mitigate shrink at checkout.

FIG. 2 is a logical block diagram of a system 200 architecture,according to an example embodiment. The system 200 is a system on whichtransactions are conducted and from which data is gathered for whichpatterns of normal and fraudulent, shrink-related transactions areidentified and models built from. The generated models are then pushedback down to be made available to classify transactions in actual ornear real-time.

The system 200 includes a store 202 in which one or more POS terminals204, 206, 208 are deployed. The POS terminals 204, 206, 208 may be oneor a mix of teller/cashier assisted or SSCO terminals. Transactions areconducted on the POS terminals 204, 206, 208 and data collected in adatabase, such as transaction database 212 or 222. Transaction data maybe tagged as being a transaction that involved shrinkage such as theft,item substitution, failure to scan (intentional or accidental), and thelike. The POS terminals 204, 206, 208 may have a model deployed theretoor as may be accessed through a service provided by a store server 210or by a store or chain server or cloud service 220. The model isgenerated form the transaction data stored in one or both of thetransaction databases 212, 222. The model is typically generated toidentify patterns in normal, non-fraudulent transactions andtransactions confirmed to include shrinkage or other fraud. The patternsare then assembled into a model that is then deployed as discussedabove. The model may then be used to determine a likelihood of shrinkageor other fraud being involved in a current transaction at one of the POSterminals 204, 206, 208.

The model may be applied to transaction data on one or more of the POSterminals 204, 206, 208, the store server 210, and the server 220. Whena potential for fraud is identified, such s when a scoring algorithmassociated with the model reaches a threshold for a current transaction,various actions may be taken. For example, an interrupt may becommunicated to the POS terminal 204, 206, 208 on which the transactionis being conducted requiring attendant or supervisor intervention tocontinue, security personnel or other personnel may be alerted, data ofthe potential for shrinkable or other fraud may be communicated toanother shrinkage mitigation or other security system where amulti-layered security approach is installed, and the like.

FIG. 3 is a block flow diagram of a method 300, according to an exampleembodiment. The method 300 is an example of a method that may beperformed in whole or in part on a POS terminal, a store server, anotherserver or other computing device that has or has access to transactiondata of normal retailer transactions and transactions confirmed toinclude fraud. The method 300 includes processing 302 a dataset oftransactions to identify normal transaction patterns and processing 304a dataset of transactions that included known fraud to identifyvariation patterns between the identified normal transaction patternsand the data of each transaction. The method 300 further includesgenerating 306 at least one pattern model based on the identified normaltransaction patterns and the identified variation patterns. In suchembodiments, each pattern model includes classification values fordetermining a likelihood of fraud in transactions. The method 300 alsoincludes applying 308 the model to a current transaction to calculate ascore indicative of a likelihood of fraud, which may include shrinkage.The method 300 may then output 310 the score.

The datasets that are processed 302, 304 may be from a specific store, aspecific POS terminal in the store, a city or other region, all storesin a chain, many stores of the same type (e.g., grocery or discountretailer), or other group. The datasets that are used are stores or thetypes of stores where the generated 306 model will be applied 308.

In some embodiments of the method 300, data of a transaction within thedatasets of transactions includes a plurality of data items includingdata identifying at least one product ID, a date and time, and a pointof sale terminal identifier. In some such embodiments, the data of atransaction includes additional data including data identifying,directly or indirectly, customer data. The customer data may includepayment type and amount data, demographic data, purchase history data.

In another embodiment of the method 300, applying 308 the model to acurrent transaction includes comparing current transaction data topatterns represented in the model to obtain a score indicative of alikelihood of fraud being present in the current transaction. In somesuch embodiments, a score is obtained from the current transaction datawith regard to at least some of the patterns represented in the modelbased on the classification values of the respective patterns andpotential fraud is indicated when a sum of the pattern scores is greaterthan a sum threshold. In some such embodiments, potential fraud may alsobe indicated when an individual pattern score or a sum of a specificgroup of pattern scores is greater than a threshold for the respectiveindividual pattern or the specific group of patterns.

In the method 300, outputting 310 the score may include outputting anindicator of potential fraud. In some of these embodiments, the output310 score may then be combined with a score received or derived fromdata received from another process, such as another security systemdeployed to reduce shrinkage. In such embodiments, when the combinedscore is greater than a threshold, the method 300 includes outputting anintervention interrupt to a point-of-sale terminal where the transactionis being conducted.

FIG. 4 is a block diagram of a computing device, according to an exampleembodiment. In one embodiment, multiple such computer systems areutilized in a distributed network to implement multiple components in atransaction based environment. An object-oriented, service-oriented, orother architecture may be used to implement such functions andcommunicate between the multiple systems and components. One examplecomputing device in the form of a computer 410, may include a processingunit 402, memory 404, removable storage 412, and non-removable storage414. Memory 404 may include volatile memory 406 and non-volatile memory408. Computer 410 may include—or have access to a computing environmentthat includes—a variety of computer-readable media, such as volatilememory 406 and non-volatile memory 408, removable storage 412 andnon-removable storage 414. Computer storage includes random accessmemory (RAM), read only memory (ROM), erasable programmable read-onlymemory (EPROM) & electrically erasable programmable read-only memory(EEPROM), flash memory or other memory technologies, compact discread-only memory (CD ROM), Digital Versatile Disks (DVD) or otheroptical disk storage, magnetic cassettes, magnetic tape, magnetic diskstorage or other magnetic storage devices, or any other medium capableof storing computer-readable instructions. Computer 410 may include orhave access to a computing environment that includes input 416, output418, and a communication connection 420. The computer may operate in anetworked environment using a communication connection to connect to oneor more remote computers, such as database servers. The remote computermay include a personal computer (PC), server, router, network PC, a peerdevice or other common network node, or the like. The communicationconnection may include a Local Area Network (LAN), a Wide Area Network(WAN) or other networks.

Computer-readable instructions stored on a computer-readable medium areexecutable by the processing unit 402 of the computer 410. A hard drive,CD-ROM, and RAM are some examples of articles including a non-transitorycomputer-readable medium. For example, a computer program 425 capable ofperforming the method 100 of FIG. 1 or the method 300 of FIG. 3.

It will be readily understood to those skilled in the art that variousother changes in the details, material, and arrangements of the partsand method stages which have been described and illustrated in order toexplain the nature of the inventive subject matter may be made withoutdeparting from the principles and scope of the inventive subject matteras expressed in the subjoined claims.

What is claimed is:
 1. A method comprising: processing, on a computerprocessor, a dataset of point of sale (POS) terminal transactions toidentify normal transaction patterns; processing, on the computerprocessor, a dataset of transactions that included known fraud toidentify variation patterns between the identified normal transactionpatterns and the data of each transaction; generating, by the computerprocessor, at least one pattern model based on the identified normaltransaction patterns and the identified variation patterns, each patternmodel including classification values for determining a likelihood offraud in transactions; applying, by the computer processor, the model toa current POS terminal transaction to calculate a score indicative of alikelihood of fraud; and outputting, from the computer processor, thescore.
 2. The method of claim 1, wherein data of a transaction withinthe datasets of transactions includes a plurality of data itemsincluding data identifying at least one product ID, a date and time, anda point of sale terminal identifier.
 3. The method of claim 2, whereinthe data of a transaction includes additional data including dataidentifying, directly or indirectly, customer data.
 4. The method ofclaim 3, wherein the customer data includes payment type and amountdata, demographic data, purchase history data.
 5. The method of claim 1,wherein applying the model to a current transaction includes comparingcurrent transaction data to patterns represented in the model to obtaina score indicative of a likelihood of fraud being present in the currenttransaction.
 6. The method of claim 5, wherein: a score is obtained fromthe current transaction data with regard to at least some of thepatterns represented in the model based on the classification values ofthe respective patterns; and potential fraud is indicated when a sum ofthe pattern scores is greater than a sum threshold.
 7. The method ofclaim 6, wherein potential fraud is also indicated when an individualpattern score or a sum of a specific group of pattern scores is greaterthan a threshold for the respective individual pattern or the specificgroup of patterns.
 8. The method of claim 6, wherein outputting thescore includes outputting an indicator of potential fraud.
 9. The methodof claim 8, further comprising: combining the score with a scorereceived or derived from data received from another process; and whenthe combined score is greater than a threshold, outputting anintervention interrupt to a point-of-sale terminal where the transactionis being conducted.
 10. The method of claim 1, wherein the dataset oftransaction processed to identify normal transaction patterns is adataset of transactions of a specific store location for which the modelwill be utilized.
 11. A method comprising: generating, on a computerprocessor, a model from patterns identified in normal and fraudulentpoint of sale (POS) terminal transaction data, each pattern including aclassification value that contributes to a transaction classificationvalue indicating a likelihood of fraud in a given transaction; applying,on the computer processor, the model to a current POS terminaltransaction to obtain classification values to calculate a transactionclassification value indicating a likelihood of fraud in the currenttransaction; and outputting, from the computer processor, the score asan indicator of potential fraud.
 12. The method of claim 11, wherein thenormal and fraudulent transaction data includes a plurality of dataitems including data identifying at least one product ID, a date andtime, and a point of sale terminal identifier.
 13. The method of claim12, wherein the data of a transaction includes additional data includingcustomer data, the customer data including at least two of payment typeand amount data, demographic data, purchase history data.
 14. The methodof claim 11, wherein applying the model to a current transactionincludes comparing current transaction data to patterns represented inthe model to obtain a score indicative of a likelihood of fraud beingpresent in the current transaction.
 15. The method of claim 14, wherein:a score is obtained from the current transaction data with regard to atleast some of the patterns represented in the model based on theclassification values of the respective patterns; and potential fraud isindicated when: a sum of the pattern scores is greater than a sumthreshold; or an individual pattern score or a sum of a specific groupof pattern scores is greater than a threshold for the respectiveindividual pattern or the specific group of patterns.
 16. The method ofclaim 15, further comprising: combining the score with a score receivedor derived from data received from another process; and when thecombined score is greater than a threshold, outputting an interventioninterrupt to a point-of-sale terminal where the transaction is beingconducted.
 17. The method of claim 11, wherein the normal and fraudulenttransaction data the is processed to generate the model of patterns is adataset of transactions of a specific store or a set of stores where themodel will be utilized.